Security dashboard

Measuring the value of security

Increasingly, business leaders are wondering whether their investments in security are justified by the benefits. They need objective measurements of the security posture and of the effectiveness of security initiatives. Because information security programmes compete for investment with other corporate initiatives, a clear strategy for value measurement is necessary.

Value may be expressed as a return on investment (ROI) or as reduction of value at risk (VAR), and may be integrated in an overall balanced scorecard (BSC). Both provide a better view of the total economic impact of information security initiatives and ongoing operations. As such, it is important to set up the following metrics:

  • Key risk indicators measuring the current exposure in terms of vulnerabilities, policy violations and incidents with measurable impact
  • Key performance indicators measuring how well security-related processes are working, how well company objectives are being met, how security can generate operational savings and how security can improve compliance
  • Key transition indicators measuring progress of security initiatives or renewed security programmes

Why Deloitte?

A Security Dashboard designed or built by Deloitte provides executive management with more than just a snapshot of some technical security metrics. It tracks the actual situation on a continuous basis, measuring progress against set goals and providing benchmark data.

  • Security posture is tracked by establishing a normalisation scheme with weighting and inclusion criteria, and setting thresholds based on past performance and risk analysis. Alerts are produced when thresholds are exceeded or targets are not met.
  • Progress of security initiatives is tracked by establishing a baseline, setting targets and reporting the percentage not yet completed.

Material on this website is © 2013 Deloitte Global Services Limited, or a member firm of Deloitte Touche Tohmatsu Limited, or one of their affiliates. See Legal for copyright and other legal information.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
